Adding on to the list of goof-ups by Facebook, a new report has surfaced which states that hundreds of millions of users’ passwords were stored in plain text for years. What’s even worse is that Facebook employees had unfettered access to this data.

This security blunder dates back to 2012 and after cybersecurity journalist Brian Krebs published a report on Thursday, Facebook rushed to publish a blog post claiming that the flaw was discovered in January.

But it sparks a question on why Facebook chose to sit on this news for three months and felt it was necessary to inform users only after the report surfaced.

Facebook says that “some user passwords were being stored in a readable format within [our] internal data storage systems.”

According to Brian Krebs’ sources, which includes a Facebook insider, “access logs showed some 2,000 engineers or developers made approximately nine million internal queries for data elements that contained plain text user passwords.”

The social media giant claims it has “found no evidence anyone internally abused or improperly accessed” the password data, but believing this statement requires you to trust Facebook — and the trust factor for the company is running quite low.